A gang of Russian hackers has amassed over 1 billion username and password combinations and more than 500 million email addresses, a security firm reported late Tuesday, calling it the largest-ever haul of stolen Internet credentials.

The massive trove — stolen from hundreds of thousands of websites — was discovered by the Milwaukee firm Hold Security, according to a post on its website.

Although the stolen database does not appear to contain payment card information, the sheer size of it represents a significant threat to companies and consumers, Steven Chabinsky, chief risk officer and general counsel for the cyber-threat tracking company CrowdStrike, told POLITICO.

That’s because many people defy security experts’ advice and reuse passwords. So, once the criminal ring has the username and password combination to access one account a person holds, they often try using that name and password — or slight variations on it — to access other accounts, Chabinsky said. In that way, access to a personal email account can lead the attackers to online banking accounts or to sensitive corporate information.

“The volume of these records allows hackers to do their own form of big data analytics, scouring passwords and using them in attacks not only against these corporate victims but against others as well,” said Chabinsky, who was previously deputy assistant director of the FBI’s cyber division.

Intrusions against large retail or other chains designed to steal payment card information or other personal data en masse have multiplied in recent months. Most famously, retail giant Target was hit over the holidays last year, and 40 million payment card numbers were stolen. Many of the hacker gangs behind these attacks are based in Russia and Eastern Europe, which have grown into global centers of cybercrime while Russian officials have largely turned a blind eye.

The U.S. has ramped up extraditions and prosecutions of Russian cyber criminals, but that has not stemmed the tide. Last month, the Justice Department brought charges against Roman Seleznev, the son of a Russian parliamentarian, whom it accused of being one of the world’s most prolific cyber thieves of credit card information. Seleznev had been arrested in the Maldives.

The value of the database will depend in part on how fresh the Internet credentials are, meaning the percentage of the accounts in it that are still active, Chabinsky said. But even information about defunct accounts can give valuable clues about the passwords to current ones, he noted.

Hold Security did not reveal the list of compromised websites but told The New York Times, which broke the story, that it ranges from household names to obscure sites. The Times hired an independent security expert to verify the data trove. Some large U.S. companies are already aware that their records are among the stolen data, another expert who looked at the records told the Times.

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Hold Security Founder Alex Holden told the Times. “And most of these sites are still vulnerable.”

The hacking ring does not appear to have sold many of the records so far and is largely using the stolen information to spam social networking sites on behalf of other groups, the Times reported.

The logon information and passwords were stolen using a hacking technique known as SQL injection. The hack essentially commandeers an online database — like one holding the names and passwords for all of a site’s registered users — allowing hackers to steal its contents.

The hackers began using amateur spamming techniques in 2011 but accelerated to much more complicated schemes in April. The group likely partnered with another entity that helped them use large networks of infected computers known as botnets to do their work, Holden suggested.

The hackers do not appear to be connected with the Russian government, Holden said, although some cybercrime gangs are said to have links to Russian intelligence.

Hold Security has been in contact with the hacking ring, which it describes as “based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia,” and as made up of “fewer than a dozen men in their 20s who know one another personally — not just virtually.”

Some Russian sites were among the victims, and Holden told the Times he plans to alert Russian law enforcement about the hacks.

“This is clearly consistent with what we’re seeing in organized cyber criminal fraud activity,” Chabinsky said of the Russian ring. “The fact that it continues to occur suggests a greater opportunity for law enforcement to be involved internationally to break up these organized crime rings.”

The fact that the cyber criminal ring has remained in an isolated region near the Kazakhstan border suggests officials in that town are quite tolerant of the group’s criminal activity, Chabinsky said.

“You can be very wealthy in New York City and no one suspects your gains are ill-gotten,” he said. “When you’re in a region of the world where people are making less than $10,000 a year and you’re making millions, it becomes pretty clear pretty quickly there’s some sort of illegal activity.”